
MACsec | 1

AUTOMOTIVE MACSEC ARCHITECTURE

Dr. Oliver Creighton & Dr. Lars Völker

Nov. 3rd/4th 2021

MACsec | 2

AUTOMOTIVE MACsec ARCHITECTURE

PART I

Oliver Creighton

Onboard Network Security Architect

Nov. 3rd/4th 2021

MACsec | 3

INCREASING FUNCTIONAL DEMANDS…

Electronic Injection, Electronic Ignition, Check Control, Cruise Control, Central Locking, ...

Electronic Transmission Control, Electronic Climate Control, ASC Anti Slip Control, ABS Anti Lock Braking System, Telephone, Seat Heating, Automated Mirror, ...

Navigation System, CD Changer, Bus Systems, ACC Active Cruise Control, Airbags, Dynamic Stability Control, Adaptive Transmission Control, Roll Stabilization, Xenon Light, BMW Assist, RDS/TMC, Emergency Call, Servotronic, Electr. Dampener Control, OBD, ...

Electric Drivetrain, Automated Driving, Digitalization / Connectivity, Integration of Customer Eco Systems, CarSharing, Remote SW Upgrade, Digital After Sales, Pay-per-use Systems, Online Services, Ad-hoc Connectivity, LED Light, Personal Radio, Preventive Diagnostics, Field Data, …

ACC Stop&Go, Internet Portal, Telematics, Online Services, Car Office, Speed Limit Info, Sideview Camera, Lane Assist, 3D Navigation with variable POI, Infot. Features, Engine Start-Stop, Intelligent Generator Control, Diagnostics Strategy, New Logistics, …

Brake Force Displ, Adapt. Light Ctrl, Telematics, Online Services, Bluetooth, Car Office, Local Hazard, Integrated Safety Systems, i-Drive, LH2, Personalization, SW Bugfixing, AFS, Head Up Display, Car Comm. Comp, Efficient Dynamics, …

Timeline axis: 1970 1980 1990 2000 2010 2020

MACsec | 4

…LEAD TO A PROLIFERATION OF NETWORKING TECHNOLOGIES

Figure: timeline of onboard networking technologies, with introduction years 1986, 1994, 2000, 2009, 2018/2021 and a “Next Gen” entry marked “?”.

MACsec | 5

VEHICLE NETWORK 1957 (BMW 501/502)

Figure: the 1957 wiring consists of Ignition, Lights, Light Switch, Signaling Indicator, Starter, Turn Signal Switch, Distributor, Radio, Generator and Battery (legend: Base Features / Options).

MACsec | 6

VEHICLE NETWORK 2015 (BMW 7 SERIES)

Up to 63 ECUs! (Figure legend: Base Feature / Option)

MACsec | 7

AUTOMOTIVE ETHERNET IS WELL-SUITED FOR ALMOST ALL ONBOARD USE CASES: “THE IP FAMILY IS GROWING”

Security is an expected quality for customers and of central importance to (emerging) legal regulation.

Figure domains: Infotainment; Driver Assistance / Autonomous Driving; Service- and Network-oriented Architecture; Traditional Onboard Communication.

MACsec | 8

END-2-END SECURITY MECHANISMS HIT A WALL

Scalability problems exist in particular for complex communication patterns and higher layers.

Function-oriented security mechanisms are where we came from:
• Every individual risk analysis leads to individual mitigations
• SecOC, (D)TLS, and IPsec all offer dedicated protection

Is it time to push security to the “expected quality” of protecting all onboard communication?

Figure blocks: UI Elements, Infotainment Platform, Base Computing Platform, Instrument Cluster.

MACsec | 9

NEXT GENERATION ARCHITECTURE (1)

2021

BMW Backend

BMW components with competitive advantages. High performance compute with Ethernet backbone:
• Functionality with global knowledge
• Fast updates, updates over long time
• Software driven
• “Fast” changing

Rolling Chassis: Commodity ECUs with clear function domain architecture and service architecture.
• Functionality with local knowledge (smart sensors, actuators).
• Vehicle architecture specifics / mechatronically coupled.
• Specific solutions (cost and function).
• Less or different need for updateability.
• “Slow” changing.
• High validation effort.
• Zonal and modular physical cable harness.

3rd Party Backend

Figure blocks: Infotainment Platform; Integration platform Autonomous Driving; Integration platform Basis; Security Separation; I&K; Ethernet Backbone; Vehicle Access; Zonal cable harness; Drive Train; Driving Dynamics; Central Computing Platform; Integration platform Driving; Central Access; ZIM.

MACsec | 10


NEXT GENERATION ARCHITECTURE (2)

Let's protect 100% of traffic in here!

MACsec | 11

CRITICAL RUNTIME REQUIREMENTS

Go for the fastest possible startup times (e.g., < 100ms)!

Plan for the car electronics constantly going to sleep and waking up!

Make your solution scale for large networks with high connectivity!

MACsec | 12

BUT WAIT! MANUFACTURING IS INCREASINGLY BECOMING ONLINE: A “NETWORK INSTALLATION AND CONFIGURATION” CHALLENGE ON THE CLOCK

ECUs are powered on for < 10 minutes; do your thing here! (Figure label: “Wedding”, the assembly step where body and chassis are joined.)

MACsec | 13

REQUIREMENTS TO SUPPORT PRODUCTION AND SERVICE

Build the secure networks fully automated!

Have processes and systems robust and distributed!

Design for an untrusted production environment!

MACsec | 14

DEFENSE IN DEPTH IS NEEDED AGAINST ALL POSSIBLE ATTACK VECTORS

Example: Central ECU (2015), “All in One”:
• Clamp and power management
• Interior and exterior lighting
• Wiper control
• Gateway (LIN, CAN, FlexRay, Ethernet)
• Access and Car Immobilizer
• Diverse sensors and switches
• Window control

3000 coding parameters; 2.4 million lines of code; 310 pins to harness; master of 130 LIN nodes.

MACsec | 15

AUTOMOTIVE MACsec ARCHITECTURE

PART II: ECU ARCHITECTURE

Ethernet & IP @ Automotive Technology Week

Lars Völker

Technical Fellow

Nov. 3rd/4th 2021

MACsec | 16

ECU ARCHITECTURE (1)

Figure: one ECU. The µC/SoC hosts the Applications (App Stack), the ”L2 – L7” Stack and the Ethernet Controller (Eth MAC); the Media Independent Interface (MII) connects it to the Ethernet Transceiver (Eth PHY), which drives the Media Dependent Interface (MDI), “the wire”.

Callout: We need keys! → MACsec Key Agreement (MKA).

MACsec | 17

ECU ARCHITECTURE (2)

Figure: ECU with µC/SoC (App Stack, Eth MAC), MII and Eth PHY; MACsec placement marked in the Eth PHY, MACsec Key Agreement (MKA) marked separately.

Option “MACsec in the Ethernet PHY”: Available now. Access to MII traces may be critical for high security use cases.

MACsec | 18

ECU ARCHITECTURE (2)

Figure: ECU with µC/SoC (App Stack, Eth MAC), MII and Eth PHY; MACsec placement marked in the Eth MAC, MACsec Key Agreement (MKA) marked separately.

Option “MACsec in the Ethernet MAC”: Best solution for ease and security. Long adoption time for all µC/SoCs.

MACsec | 19

ECU ARCHITECTURE (2)

Figure: ECU with µC/SoC (App Stack, Eth MAC), MII and Eth PHY; MACsec placement marked in the software stack on the µC/SoC, MACsec Key Agreement (MKA) marked separately.

Option “MACsec in Software”: Cost effective solution with hardware crypto. Performance of hardware crypto very critical.

MACsec | 20

ECU ARCHITECTURE (3)

Figure: a Switch ECU. The µC/SoC (App, Stack, Eth MAC) connects over MII to the Ethernet Switch (integrated core); the switch has Eth PHYs on ports 1, 2 and 3, each with its own CAK (CAK_1, CAK_2, CAK_3). MACsec placement and MACsec Key Agreement (MKA) are marked.

Each MACsec port needs a CAK.

Where to place MKA in Switch ECUs?
• On the Switch (integrated core)
• µC/SoC (transport keys into switch)
• both

More options:
• MACsec between Switch and µC/SoC? (port 0, CAK_0 on both chips)
• MACsec and External PHYs? (port 4, CAK_4)

CAK: Connectivity Association Key (symmetric long-term secret)

MACsec | 21

DEFENSE IN DEPTH: Important complementary solutions

Figure: the Switch ECU (integrated core, Eth PHYs with CAK_1, CAK_2, CAK_3) linked to two ECUs (each a µC/SoC with App, Stack, Eth MAC, MII and Eth PHY), one sharing CAK_3 and one sharing CAK_1. MACsec placement and MACsec Key Agreement (MKA) are marked; exclamation marks show where the complementary measures apply.

Address Filtering on Switches: Since switch ports are authenticated, strong address and VLAN filtering (layer 2 and 3) is possible and highly recommended. This stops address spoofing and unauthorized VLAN access.

Access Control Lists (ACLs) on ECUs: Without address spoofing, access control can be based on addresses. For example, SOME/IP ACLs or regular packet filters in ECUs.

SecOC for selected communication: Legacy to Ethernet, Secure Element to Application, etc. Highly critical use cases (e.g., vehicle immobilizer).

CAK: Connectivity Association Key

MACsec | 22

KEY INSTALLATION (1)

Figure: a Tester connected to an ECU (µC/SoC with App, Stack, Eth MAC, MII and Eth PHY) that is to receive CAK_1. MACsec placement and MACsec Key Agreement (MKA) are marked.

Challenge: Tester needs to install long term pairwise secret keys, here CAK_1.

For security reasons, keys need to be vehicle individual.

This means that keys need to be installed after assembly.

For this installation, diagnostics need to work for setting up MACsec keys.

Recommended solution: Create a bypass in the MACsec implementation for certain bring up communication (e.g., via VLAN).

Allow needed diagnostic jobs for bring up here.

After key installation, MACsec can allow other communication.

CAK: Connectivity Association Key

MACsec | 23

KEY INSTALLATION (2)

On “Switch ECUs”, the diagnostics commonly runs on the µC/SoC, while the MKA could run on the switch.

Create a secure cryptographic “tunnel” between both chips with individual keys at the Tier-1 end of line processing. For example: anonymous Diffie-Hellman.

Push CAKs over this secure “tunnel” into the integrated core on the Switch on bring up.

Figure: a Tester connected to a Switch ECU. The Ethernet Switch (integrated core, Eth PHYs with CAK_1, CAK_2, CAK_3) and the µC/SoC (Eth MAC, Stack, App, Diag) share CAK_0 for the internal link over MII. MACsec placement and MACsec Key Agreement (MKA) are marked.

CAK: Connectivity Association Key

MACsec | 24

KEY INSTALLATION (3)

And don’t forget that you need to bring up both ends of the link!

With a “bypass VLAN”, this is very simple.

With a secure enable/disable sequence or similar, this can be challenging.

How much do you trust 3rd party repair shops?

Figure: a Tester, an ECU (µC/SoC with App, Stack, Eth MAC, MII, Eth PHY and CAK_1) and a Switch ECU (Ethernet Switch with integrated core and Eth PHYs holding CAK_1, CAK_2, CAK_3; µC/SoC with Eth MAC, Stack, App, Diag; CAK_0 on the internal link) joined by the link protected with CAK_1. MACsec placement and MACsec Key Agreement (MKA) are marked.

CAK: Connectivity Association Key
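The bring-up procedure from the three key-installation slides and the address filtering from the defense-in-depth slide, as an added example in Go that is not the authors' code: a port admission policy in which, until a CAK is installed, only frames on a bypass VLAN pass; `InstallCAK` closes the bypass and from then on admits only MACsec-tagged frames from the station authenticated on that port. The bypass VLAN id, the diagnostic EtherType (an IEEE local experimental value standing in for the real diagnostic protocol), the CAK and all frames are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// EtherTypes from IEEE 802.1Q and 802.1AE. The bypass VLAN id, the diagnostic
// EtherType (an IEEE local experimental value) and all frames are constructed.
const (
	etherTypeVLAN   = 0x8100
	etherTypeMACsec = 0x88E5
	etherTypeDiag   = 0x88B5 // stands in for the bring-up diagnostic protocol
)

// Port is one MACsec-capable port. Until a CAK is installed only the bypass VLAN
// passes; afterwards only MACsec frames from the station authenticated on it.
type Port struct {
	BypassVID uint16
	AllowedSA map[[6]byte]bool
	cak       []byte // nil while the port is still in bring-up
}

// Frame is the decoded outer header of an Ethernet frame.
type Frame struct {
	SA        [6]byte
	EtherType uint16 // first EtherType after SA, or after the 802.1Q tag if present
	VID       uint16 // valid only when Tagged
	Tagged    bool
}

// Decode reads SA and the first EtherType, peeling one 802.1Q tag if present.
func Decode(raw []byte) (f Frame, err error) {
	if len(raw) < 14 || (binary.BigEndian.Uint16(raw[12:]) == etherTypeVLAN && len(raw) < 18) {
		return f, fmt.Errorf("frame too short")
	}
	copy(f.SA[:], raw[6:12])
	f.EtherType = binary.BigEndian.Uint16(raw[12:])
	if f.EtherType == etherTypeVLAN {
		f.Tagged, f.VID = true, binary.BigEndian.Uint16(raw[14:])&0x0fff
		f.EtherType = binary.BigEndian.Uint16(raw[16:])
	}
	return f, nil
}

// Admit decides whether a frame passes in the port's current state and says why.
func (p *Port) Admit(raw []byte) (bool, string) {
	f, err := Decode(raw)
	switch {
	case err != nil:
		return false, err.Error()
	case p.cak == nil && f.Tagged && f.VID == p.BypassVID:
		return true, "bypass VLAN during bring-up"
	case p.cak == nil:
		return false, "no CAK installed yet; only bypass VLAN traffic is accepted"
	case f.Tagged || f.EtherType != etherTypeMACsec:
		return false, "unprotected frame on a MACsec-enforcing port"
	case !p.AllowedSA[f.SA]: // address filtering is sound only because the port is authenticated
		return false, fmt.Sprintf("source %x is not allowed on this port", f.SA)
	}
	return true, "MACsec-protected frame from an allowed station"
}

// InstallCAK stores the pairwise long-term key (16 or 32 bytes), records the peer station and closes the bypass.
func (p *Port) InstallCAK(cak []byte, peer [6]byte) error {
	if len(cak) != 16 && len(cak) != 32 {
		return fmt.Errorf("CAK must be 16 or 32 bytes, got %d", len(cak))
	}
	p.cak = append([]byte(nil), cak...)
	p.AllowedSA = map[[6]byte]bool{peer: true}
	return nil
}

// BuildFrame constructs a test frame: constructed DA, given SA, optional 802.1Q tag, EtherType, payload.
func BuildFrame(sa [6]byte, vid uint16, tagged bool, etherType uint16, payload []byte) []byte {
	f := append([]byte{2, 0, 0, 0xbe, 0xef, 0x10}, sa[:]...)
	if tagged {
		f = append(f, byte(etherTypeVLAN>>8), byte(etherTypeVLAN&0xff), byte(vid>>8), byte(vid))
	}
	return append(append(f, byte(etherType>>8), byte(etherType)), payload...)
}

// BringUpSequence walks one port through the slides' procedure and returns the verdicts for: diag
// via bypass before keying, the same diag after keying, MACsec from the keyed peer, MACsec from a stranger.
func BringUpSequence(bypassVID uint16) (diagBefore, diagAfter, peerMACsec, spoofMACsec bool) {
	peer, other := [6]byte{2, 0, 0, 0xbe, 0xef, 1}, [6]byte{2, 0, 0, 0xbe, 0xef, 2} // constructed stations
	p := &Port{BypassVID: bypassVID}
	diag := BuildFrame(peer, bypassVID, true, etherTypeDiag, []byte("ReadDataByIdentifier"))
	diagBefore, _ = p.Admit(diag)
	if err := p.InstallCAK([]byte("0123456789abcdef"), peer); err != nil { // constructed CAK
		panic(err)
	}
	diagAfter, _ = p.Admit(diag)
	peerMACsec, _ = p.Admit(BuildFrame(peer, 0, false, etherTypeMACsec, []byte("<SecTAG..ICV>")))
	spoofMACsec, _ = p.Admit(BuildFrame(other, 0, false, etherTypeMACsec, []byte("<SecTAG..ICV>")))
	return
}

func main() { fmt.Println(BringUpSequence(4094)) }
```

The `diagAfter` verdict is the failure mode the third slide warns about: once one end of a link enforces MACsec, the peer's bring-up traffic on the bypass VLAN is dropped, so both ends must receive their CAK before either closes the bypass. The MACsec frames here are only checked for their outer header and source address; the ICV check that would follow belongs to the MACsec data plane, not to this admission policy.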

MACsec | 25

TESTING AND INTEGRATION

https://automotive-macsec.com

Aspect 1: “Prototypes / A-samples”

Proof that MACsec fits your requirements!

Aspect 2: “Testing MACsec”

Test cases and test suites for MKA.

Test cases and test suites for MACsec.

Hardware tools to enable MACsec testing.

Aspect 3: “Trace analysis vs. MACsec”

Solution: “Authentication only MACsec”

Hardware tools to record communication.

Wireshark support since Wireshark 3.4.
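What “authentication only MACsec” buys for trace analysis can be seen on a frame itself. The Go program below is an added example written for this page, not code from the authors, from Technica Engineering or from automotive-macsec.com. It implements the IEEE 802.1AE GCM-AES-128 frame format (SecTAG with SCI, SCI||PN nonce, 16-byte ICV) with the association number fixed to 0; the SAK, SCI, addresses and payload are constructed. In authentication-only mode the user data is covered by the ICV but left in clear, so a capture tool can decode it, while a flipped byte or a replayed packet number is still dropped; in encrypt mode the same payload no longer appears on the wire.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constants from IEEE 802.1AE. AN is fixed to 0 here; every value in Demo is constructed.
const (
	etherTypeMACsec   = 0x88E5           // EtherType that starts the SecTAG
	tciSC, tciE, tciC = 0x20, 0x08, 0x04 // TCI bits: SCI present, encrypted, changed text
	hdrLen, icvLen    = 12 + 16, 16      // DA||SA||SecTAG (with 8-byte SCI); GCM ICV
)

// SecY is one secure channel: SAK-keyed GCM, SCI (MAC || port id) and PN state.
type SecY struct {
	aead   cipher.AEAD
	sci    [8]byte
	nextPN uint32 // TX: next PN to send; RX: lowest PN still accepted (window 0)
}

// nonce is SCI || PN (802.1AE, 32-bit PN); s.sci[:] is full, so append allocates a fresh slice.
func (s *SecY) nonce(pn uint32) []byte {
	return append(s.sci[:], byte(pn>>24), byte(pn>>16), byte(pn>>8), byte(pn))
}

// Protect builds DA||SA||SecTAG||SecureData||ICV: authentication-only keeps the user data readable
// (it is only AAD), encrypt mode makes it ciphertext. SL stays 0 as the user data here is >= 48 bytes.
func (s *SecY) Protect(da, sa [6]byte, userData []byte, encrypt bool) []byte {
	pn, tci := s.nextPN, byte(tciSC)
	s.nextPN++
	if encrypt {
		tci |= tciE | tciC
	}
	hdr := append(append(make([]byte, 0, hdrLen+len(userData)+icvLen), da[:]...), sa[:]...)
	hdr = append(hdr, etherTypeMACsec>>8, etherTypeMACsec&0xff, tci, 0)
	hdr = append(hdr, byte(pn>>24), byte(pn>>16), byte(pn>>8), byte(pn))
	hdr = append(hdr, s.sci[:]...)
	if encrypt { // AAD = header, plaintext = user data
		return s.aead.Seal(hdr, s.nonce(pn), userData, append([]byte{}, hdr...))
	}
	frame := append(hdr, userData...) // AAD = header || user data, no plaintext
	return s.aead.Seal(frame, s.nonce(pn), nil, append([]byte{}, frame...))
}

// Verify checks SecTAG, SCI, packet number (strictly increasing) and ICV; any failure drops the frame.
func (s *SecY) Verify(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+icvLen || binary.BigEndian.Uint16(frame[12:]) != etherTypeMACsec ||
		frame[14]&tciSC == 0 || !bytes.Equal(frame[20:hdrLen], s.sci[:]) {
		return nil, fmt.Errorf("not a frame of this secure channel")
	}
	pn := binary.BigEndian.Uint32(frame[16:])
	if pn < s.nextPN {
		return nil, fmt.Errorf("replay: PN %d already accepted", pn)
	}
	nonce, n := s.nonce(pn), len(frame)-icvLen // n: where the ICV starts
	var data []byte
	var err error
	if frame[14]&tciE != 0 { // Secure Data is ciphertext
		data, err = s.aead.Open(nil, nonce, frame[hdrLen:], frame[:hdrLen])
	} else { // Secure Data is clear text, covered by the ICV
		_, err = s.aead.Open(nil, nonce, frame[n:], frame[:n])
		data = append([]byte{}, frame[hdrLen:n]...)
	}
	if err != nil {
		return nil, fmt.Errorf("ICV check failed")
	}
	s.nextPN = pn + 1
	return data, nil
}

// Demo runs one link through both modes and the two checks a receiver must make:
// ICV failure on a tampered frame and PN failure on a replayed one.
func Demo() (authOK, authVisible, encOK, encVisible, tamperDropped, replayDropped bool) {
	sak, sci := []byte("0123456789abcdef"), [8]byte{2, 0, 0, 0xbe, 0xef, 1, 0, 1} // constructed SAK; SCI = MAC || port 1
	da, sa := [6]byte{2, 0, 0, 0xbe, 0xef, 2}, [6]byte{2, 0, 0, 0xbe, 0xef, 1}
	payload := []byte("SOME/IP-SD offer: service 0x1234 inst 0x0001 on udp/30490 (constructed)")
	block, _ := aes.NewCipher(sak)  // 16-byte SAK -> GCM-AES-128 (known-good length, error ignored)
	aead, _ := cipher.NewGCM(block) // 12-byte nonce, 16-byte ICV, as 802.1AE uses
	tx, rx := &SecY{aead, sci, 1}, &SecY{aead, sci, 1}
	f := tx.Protect(da, sa, payload, false)
	got, err := rx.Verify(f)
	authOK, authVisible = err == nil && bytes.Equal(got, payload), bytes.Contains(f, payload)
	f = tx.Protect(da, sa, payload, true)
	got, err = rx.Verify(f)
	encOK, encVisible = err == nil && bytes.Equal(got, payload), bytes.Contains(f, payload)
	_, err = rx.Verify(f) // same frame again: its PN was already accepted
	replayDropped = err != nil
	f = tx.Protect(da, sa, payload, false)
	f[hdrLen] ^= 1 // one payload bit flipped in transit
	_, err = rx.Verify(f)
	tamperDropped = err != nil
	return
}

func main() { fmt.Println(Demo()) }
```

MKA is out of scope here: the SAK is simply shared by both ends, where a real SecY would receive it from MKA. The replay window is 0 (strictly increasing PN), which suits a point-to-point automotive link but would need a window on a path that can reorder frames.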

MACsec | 26

SUMMARY: Automotive MACsec Architecture

Automotive MACsec is ready:
• E/E Architecture and ECU Architecture can clearly be envisioned.
• Bring up of MACsec can be engineered to be secure, fast, and robust.
• MACsec promises outstanding performance that scales with link speed by design!

• Automotive MACsec requires optimized MKA!
• Find details of automotive MKA and more here: https://automotive-macsec.com

• Automotive MACsec has been proven in prototypes and A-Samples.
• Testing, integration, and tools are ready.

Outlook: Any interest in defining an “Automotive Profile for MACsec”?

MACsec | 27

Technica Engineering GmbH
Leopoldstraße 236
80807 Munich
Germany

Dr. Lars Völker
Technical Fellow
[email protected]
+49-175-1140982

https://www.linkedin.com/in/lars-v-761b629/

BMW AG
80788 Munich
Germany

Dr. Oliver Creighton
Onboard Network Security Architect
[email protected]
+49-151-601-56301

https://www.linkedin.com/in/oliver-creighton/